#!/usr/bin/env python3
"""
Usage: python create_user.py <email> <name> <password> [--admin]

Creates a GUI user account in users.json.
The user will be required to change their password on first login.
Use --admin to grant admin privileges.
"""
import hashlib
import json
import os
import secrets
import sys
import uuid
from datetime import datetime

USERS_FILE = os.path.join(os.path.dirname(__file__), "users.json")


def hash_password(password: str, salt: str | None = None) -> tuple:
    if salt is None:
        salt = secrets.token_hex(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 200_000)
    return key.hex(), salt


def create_user(email: str, name: str, password: str, role: str = "user") -> str:
    users: dict = {}
    if os.path.exists(USERS_FILE):
        with open(USERS_FILE) as f:
            users = json.load(f)

    for u in users.values():
        if u["email"] == email:
            print(f"[!] A user already exists with email {email}")
            print("    Delete the entry from users.json first if you want to recreate it.")
            sys.exit(1)

    user_id = str(uuid.uuid4())
    pw_hash, pw_salt = hash_password(password)
    users[user_id] = {
        "id": user_id,
        "email": email,
        "name": name,
        "role": role,
        "password_hash": pw_hash,
        "password_salt": pw_salt,
        "is_default_password": True,
        "created_at": datetime.now().isoformat(),
    }

    with open(USERS_FILE, "w") as f:
        json.dump(users, f, indent=2)

    print(f"\n✓ User created: {name} <{email}> [{role}]")
    print(f"  Default password: {password}")
    print(f"  The user will be prompted to change it on first login.\n")
    return user_id


if __name__ == "__main__":
    if len(sys.argv) < 4:
        print("Usage: python create_user.py <email> <name> <password> [--admin]")
        sys.exit(1)

    _email    = sys.argv[1]
    _name     = sys.argv[2]
    _password = sys.argv[3]
    _role     = "admin" if "--admin" in sys.argv else "user"
    create_user(_email, _name, _password, _role)